Microsoft: People are too stupid to remember a bunch of complex passwords

Researchers at Microsoft are now arguing that people should reuse simple passwords on unimportant sites to make it easier to remember the unique, complex passwords used for more important sites, like those which store banking information or other sensitive data. Here's how the researchers' conclusion reads, at least in part. Fair warning -- it's a bit dry, given that this was published for consideration by other researchers, not for consumers who worry about things like "being entertained" or "having things simply explained."

A starting point for our analysis was the critical observation that to be realistic, efficient password management should consider a realistic suite of attacks and minimize the sum of expected loss and user effort. Our model yields detailed results; it indicates that any strategy that rules out weak passwords or re-use will be sub-optimal [...] We find that optimally, marginal return on effort is inversely proportional to account values. We note that while password re-use must be part of an optimal portfolio strategy, it is no panacea. Far from optimal outcomes will result if accounts are grouped arbitrarily.

Now here's how someone tasked with explaining this concept in simple, readable terms might write that paragraph: Expecting the average person to remember a bunch of unique passwords is like expecting a husband on a sitcom to remember his anniversary. Therefore, it's better to take that stupidity into account by reusing passwords. But you'd better be smart about selecting the sites that use the same password -- an important site can be lost in a group of unimportant ones just as easily as an anniversary can be lost in an overflowing sea of sitcom tropes like "in-laws visiting" or "family road trip."
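The quoted paragraph is describing an optimisation: pick how accounts share passwords so that expected loss plus memorisation effort is as small as possible, with low-value accounts allowed to share. The Python below is an added example written for this page, not code from the Microsoft researchers or their paper. It uses a deliberately simplified cost model assumed here (one shared password per group, independent per-account leaks, a fixed effort cost per distinct password) and constructed account values and leak probabilities, then brute-forces every way of grouping five accounts to find the cheapest portfolio and compares it with an arbitrary grouping that lumps the bank account in with a forum login.

```python
"""Toy password-portfolio model: accounts in one group share a password, so a leak
of any account in the group exposes every account in it.  Simplified model assumed
for this example; not the researchers' own model."""

# Constructed sample accounts: name -> (value at stake, yearly leak probability)
ACCOUNTS = {
    "bank": (10000, 0.01),
    "email": (5000, 0.02),
    "shop": (300, 0.05),
    "forum": (20, 0.20),
    "news": (10, 0.30),
}
# Assumed cost of remembering one more unique password, in the same units as value
EFFORT_PER_PASSWORD = 200

# Two hand-picked groupings to compare against the computed optimum
VALUE_BASED = [["bank"], ["email"], ["shop", "forum", "news"]]
ARBITRARY = [["bank", "forum"], ["email", "news"], ["shop"]]


def group_compromise_probability(accounts, group):
    """P(at least one account in the group leaks), assuming independent leaks."""
    p_none = 1.0
    for name in group:
        p_none *= 1.0 - accounts[name][1]
    return 1.0 - p_none


def expected_loss(accounts, groups):
    """Sum over groups of P(group compromised) * total value in the group."""
    total = 0.0
    for group in groups:
        value_at_risk = sum(accounts[name][0] for name in group)
        total += group_compromise_probability(accounts, group) * value_at_risk
    return total


def total_cost(accounts, groups, effort_per_password):
    """Expected loss plus effort: one unit of effort per distinct password."""
    return expected_loss(accounts, groups) + effort_per_password * len(groups)


def partitions(items):
    """Yield every way of splitting a list into non-empty groups (set partitions)."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for smaller in partitions(rest):
        for i, block in enumerate(smaller):       # add first to an existing group
            yield smaller[:i] + [[first] + block] + smaller[i + 1:]
        yield [[first]] + smaller                  # or give it its own password


def best_portfolio(accounts, effort_per_password):
    """Exhaustively search all groupings; returns (cost, groups) with minimal cost."""
    best_cost, best_groups = None, None
    for groups in partitions(sorted(accounts)):
        cost = total_cost(accounts, groups, effort_per_password)
        if best_cost is None or cost < best_cost:
            best_cost, best_groups = cost, groups
    return best_cost, best_groups


def canonical(groups):
    """Order-independent form of a grouping, for comparisons."""
    return frozenset(frozenset(g) for g in groups)


if __name__ == "__main__":
    unique = [[name] for name in ACCOUNTS]
    print("unique password everywhere:", total_cost(ACCOUNTS, unique, EFFORT_PER_PASSWORD))
    print("grouped by value:          ", total_cost(ACCOUNTS, VALUE_BASED, EFFORT_PER_PASSWORD))
    print("grouped arbitrarily:       ", total_cost(ACCOUNTS, ARBITRARY, EFFORT_PER_PASSWORD))
    cost, groups = best_portfolio(ACCOUNTS, EFFORT_PER_PASSWORD)
    print("optimum:", groups, "at cost", round(cost, 2))
```

With these constructed numbers the search lands on the value-based grouping: the bank and email accounts each get their own password and the three cheap accounts share one. Putting the bank login in the same group as the forum login costs over four times as much, which is the "grouped arbitrarily" failure the researchers warn about; change `EFFORT_PER_PASSWORD` and the optimum shifts, which is the "marginal return on effort" trade-off in the quote.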

There are going to be exceptions to the rule. Some people can remember unique passwords for every site they've ever visited, but the average person, much like the average Tim "The Toolman" Taylor or King of Queens, is better off with their intelligence left untested. Any strategy meant to preserve their wellbeing, whether it's from hackers or from their stereotypically shrill sitcom wives, should cater to that.

Passwords are going to be a nuisance no matter what. Having to change them when something like the Heartbleed bug compromises the security of an estimated two-thirds of the Internet is frustrating. Not being able to change them when companies start to rely on biometric security is going to be more frustrating still. Receiving hundreds of text messages, like the Wall Street Journal's Christopher Mims did after using a Twitter password in the lede of a column, would be downright maddening. But these researchers' suggestion might help to mitigate those problems for many consumers.

It doesn't take a bunch of researchers to know that people are stupid, and any strategy meant to protect them from themselves, as well as hackers and other nefarious attackers, should take that stupidity into account. Is it dumb to use the same password for a bunch of different sites? Sure. But it's even dumber to assume the average Internet user will remember dozens of unique passwords for sites both essential and trivial.